CVE-2023-2706

HIGH 8.1

OTP Login Woocommerce & Gravity Forms <= 2.2 - Authentication Bypass to Privilege Escalation

CVSS Score

8.1

EPSS Score

0.0%

EPSS Percentile

0th

The OTP Login Woocommerce & Gravity Forms plugin for WordPress is vulnerable to authentication bypass. This is due to the fact that when generating OTP codes for users to use in order to login via phone number, the plugin returns these codes in an AJAX response. This makes it possible for unauthenticated attackers to obtain login codes for administrators. This does require an attacker have access to the phone number configured for an account, which can be obtained via social engineering or reconnaissance.

CWE	CWE-287
Vendor	xootix
Product	otp login & register woocommerce
Published	May 17, 2023
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for xootix otp login & register woocommerce

Be the first to know when new high vulnerabilities affecting xootix otp login & register woocommerce are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

xootix / OTP Login & Register Woocommerce

0 ≤ 2.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/b1b7b653-496f-467a-9513-4be1891f38ae?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/mobile-login-woocommerce/tags/2.2/includes/class-xoo-ml-verification.php#L362 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2912731%40mobile-login-woocommerce&new=2912731%40mobile-login-woocommerce&sfp_email=&sfph_mail= lana.codes: https://lana.codes/lanavdb/87b5e80e-fd5b-47c3-bf82-088bdf4573b5/

Credits

István Márton